Cyber Security Trial Inspections Summary Report


Executive Summary

The trial covered a range of industry groups, large and small COMAH Operators and a range of IACS technologies including new and old installations, control and safety systems and electrical power systems. A few of the Operators were also covered by the NIS Regulations when they came into effect later, in May 2018.

The Operators were a self-selecting volunteer group, and thus it was expected that the findings were likely to be optimistic compared to the sector as a whole. However, these Operators had systems in place and were addressing cyber security, which allowed the OG 86 to be tested comprehensively. It is expected that with the findings of this trial and the outcomes from the 2018-19 inspection programme, a more detailed picture of the sector will emerge.

The findings of the trial are presented using the NCSC cyber security principles, with a RAG (red, amber, green) rating for partial compliance and for full compliance against each of the principles. The partial compliance rating was included to recognise that Operators may have started to address the issues but had not yet fully completed the work.

The findings show some encouraging signs that Operators had started to address the issues and were keen to know how to address the risks to their commercial operations proportionately to the level of risk, and how to demonstrate compliance.

The key findings show there are large gaps to close to reach full compliance and manage the risks to ALARP. However, progress was being made by all the Operators and the report shows areas of partial compliance.

Whilst progress was made on system-type security issues, which covered technical controls, there was less progress in other areas. These related to management systems, including procedural controls, governance, competency, detection and recovery, and supply chain issues.

There was some evidence in the newer systems that security through design was being built into the systems. However, this was not consistent. This is an area that needs to be addressed by the vendors and suppliers of systems.

There were also learning points for HSE, which included allowing sufficient time for the inspections, building in cyber security specific HF issues, and incorporating NCSC guidance into the HSE OG so that there is a single source of authoritative guidance for the sector.

It is recommended that industry addresses this risk at Board level and ensures that management systems are put into place that address governance, roles and responsibilities, procedural controls appropriate to cyber security, and competency of staff. Operators should become familiar with, and trained in, cyber security and assessing risk so that they can act as the intelligent customer. This will allow significant progress to be made on quick wins as well as the more detailed technical controls that may be necessary, and allow the risk to be managed on an ongoing basis.

HSE can support the above by working in partnership with industry and providing proportionate, targeted guidance on how to assess and manage the risk and how compliance may be demonstrated. There is perceived to be a gap in appropriate training and HSE can fill this gap.

It is likely that it will take many years before the sector as a whole is managing the risks appropriately, both for their commercial risk and to demonstrate compliance with the regulations.

Table of Contents

Executive Summary
Background and Approach
  Background
  Trial Inspection Approach
Summary of levels of compliance
Conclusions
  Trial Inspection Operator Selection
  Compliance against the OG
  Differences between industry sectors
  Inspection approach and OG
Recommendations for Industry
Recommendations for HSE
Appendix A – Example agenda
Appendix B – Detailed levels of compliance
  A. Managing security risk
  B. Protecting against cyber attack
  C. Detecting cyber security events
  D. Minimising the impact of cyber security incidents

Background and Approach

Background

HSE published its operational guidance OG86 'Cyber Security for Industrial Automation and Control Systems (IACS)' in March 2017. Operational guidance is primarily aimed at HSE inspectors, providing them with guidance on the standards expected to facilitate a consistent approach to regulation. However, the OG is also freely available to COMAH operators, providing useful guidance on how compliance might be achieved.

In order to test the OG and the inspection approach, and also to get an early sense of where various industry sectors were compared to the OG, a series of trial inspections were carried out between November 2017 and May 2018.

Trial Inspection Approach

The Operators involved in the trial:

- Participated voluntarily
- Were all major hazards Operators, covered by COMAH or SAPO
- Covered a range of industry sectors including chemical manufacture, refining, fuel pipeline, gas terminal, industrial gases, microbiological (an explosives sector operator was initially involved but dropped out of the trial)
- Covered large and small COMAH Operators and a range of IACS technologies including new and old installations, control and safety systems and electrical power systems
- Included some Operators that would be covered by the (then proposed) NIS Regulations – although it should be noted that the scope of the trial inspections did not consider risks to essential services.

For each trial inspection the Operator was:

- Issued an agenda at least one month before the inspection (see example in Appendix A)
- Requested to provide information to HSE about their cyber security management system, cyber security risk assessment and cyber security assets on site, which was reviewed ahead of the inspection
- Visited for a single day inspection (2 days for larger sites)
- Provided with a report of the outcomes of the inspection.

Two HSE Specialist Inspectors were involved with each trial inspection – one leading (focussed on the inspection itself) and one assisting and considering wider issues (e.g. inspection agenda, OG, etc.). Other HSE personnel and others (e.g. NCSC) also attended to observe the inspection process or for training purposes. It was noted that Operators sometimes also brought in wider audiences from their organisation who were interested in HSE expectations.

The trial inspections only considered MAH safety risk. There was no consideration of critical national infrastructure issues (i.e. loss of essential services).

However, during the trial period the NCSC issued its NIS principles and guidance, and therefore the trial inspection agenda and inspection reports were gradually changed to align with the headings and content of the NIS principles and guidance. This change did not result in any significant change to the OG requirements.

Summary of levels of compliance

The levels of compliance against the OG are summarised below, aligned to the NCSC NIS Principles. Each of the NIS principles has been summarised as either red, amber or green based upon the number of operators that had partly (i.e. started to address) or fully achieved the objectives, as follows:

PART (P)
- Green: Most Operators had started to address / partially achieved most objectives (6/8)
- Amber: Some Operators had started to address / partially achieved some objectives
- Red: Most Operators had not started to address / achieved most of the objectives (2/8)

FULL (F)
- Green: Most Operators had achieved most objectives (6/8)
- Amber: Some Operators had achieved some objectives
- Red: Most Operators had not achieved most of the objectives (2/8)

A more detailed breakdown is provided in Appendix B, where each individual objective has been assessed.

The principles rated (the P and F ratings were presented as coloured cells in the original and are not reproduced in this transcription):

A. Managing security risk
  A.1 Governance
  A.2 Risk management
  A.3 Asset management
  A.4 Supply chain
B. Protecting against cyber attack
  B.1 Service protection policies and processes
  B.2 Identity and access control
  B.3 Data security
  B.4 System security
  B.5 Resilient networks and systems
  B.6 Staff awareness and training
C. Detecting cyber security events
  C.1 Security monitoring
  C.2 Proactive security event discovery
D. Minimising the impact of cyber security incidents
  D.1 Response and recovery planning
  D.2 Lessons learned
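The PART/FULL rating rule above, and its per-objective form in Appendix B, can be made mechanical. The Python below is an added example and not tooling from the HSE report: it takes constructed outcomes for eight operators against the A.1 Governance objectives listed in Appendix B and derives objective-level and principle-level P and F ratings. It assumes that "most" operators means at least 6 of 8 and "most had not" means at most 2 of 8 (the comparison symbols did not survive transcription), and that an operator counts towards a principle when it reaches the threshold on more than half of that principle's objectives.

```python
"""RAG scoring of NIS objectives in the style of the HSE trial report.

Added example, not the report's own tooling.  PART (P) counts operators that
had at least started an objective; FULL (F) counts operators that had fully
achieved it.  Assumptions: 'most' operators means 6 or more of 8 and 'most
had not' means 2 or fewer of 8, scaled as 6/8 and 2/8 for other group sizes;
an operator counts towards a principle when it reaches the threshold on more
than half of that principle's objectives.  Operator data is constructed.
"""
from enum import Enum


class Status(Enum):
    """Outcome recorded for one operator against one objective."""
    NOT_STARTED = "N"
    PARTIAL = "P"
    FULL = "F"


# Objectives for principle A.1 (Governance) as listed in Appendix B.
A1_OBJECTIVES = {
    "A.1.1": "Management aware of cyber risks to IACS",
    "A.1.2": "Management recognise and own safety risks associated with cyber risks to IACS",
    "A.1.3": "Policy for cyber security of IACS",
    "A.1.4": "Policy includes decision making process for addressing cyber risks",
    "A.1.5": "Monitoring / oversight of IACS cyber countermeasures by management",
    "A.1.6": "Role of IACS Responsible Person identified",
    "A.1.7": "All IACS roles and responsibilities identified and recorded / briefed",
}

# Constructed outcomes (not the trial's data): one letter per objective,
# in A1_OBJECTIVES order, for eight hypothetical operators.
CONSTRUCTED_A1_RESULTS = {
    "op1": "PPPPNPN",
    "op2": "FPPNNPN",
    "op3": "PPNNNNN",
    "op4": "FFFFPPN",
    "op5": "PPPPPPP",
    "op6": "FPFPNPN",
    "op7": "NPPPPNN",
    "op8": "NNPNNNN",
}


def rag(count: int, n_operators: int) -> str:
    """Red/amber/green for `count` of `n_operators` reaching a threshold."""
    if n_operators <= 0:
        raise ValueError("need at least one operator")
    if count * 8 >= 6 * n_operators:   # 'most' operators (assumed >= 6/8)
        return "green"
    if count * 8 <= 2 * n_operators:   # 'most' had not (assumed <= 2/8)
        return "red"
    return "amber"                      # 'some' operators


def parse_results(raw: dict, objectives: list) -> dict:
    """Expand compact letter strings into {operator: {objective: Status}}."""
    parsed = {}
    for operator, letters in raw.items():
        if len(letters) != len(objectives):
            raise ValueError(f"{operator}: expected {len(objectives)} outcomes, got {len(letters)}")
        parsed[operator] = {obj: Status(ch) for obj, ch in zip(objectives, letters)}
    return parsed


def started(status: Status) -> bool:
    """PART threshold: partially or fully achieved."""
    return status is not Status.NOT_STARTED


def full(status: Status) -> bool:
    """FULL threshold: fully achieved only."""
    return status is Status.FULL


def rate_objective(results: dict, objective: str) -> dict:
    """P and F ratings for one objective across all operators."""
    n = len(results)
    p_count = sum(started(r[objective]) for r in results.values())
    f_count = sum(full(r[objective]) for r in results.values())
    return {"P": rag(p_count, n), "F": rag(f_count, n)}


def rate_principle(results: dict, objectives: list) -> dict:
    """P and F ratings for a principle: an operator counts when it reaches
    the threshold on more than half of the objectives (assumption)."""
    n = len(results)
    half = len(objectives) / 2
    p_count = sum(sum(started(r[o]) for o in objectives) > half for r in results.values())
    f_count = sum(sum(full(r[o]) for o in objectives) > half for r in results.values())
    return {"P": rag(p_count, n), "F": rag(f_count, n)}


def a1_report() -> dict:
    """Ratings for the constructed A.1 data: the principle plus each objective."""
    results = parse_results(CONSTRUCTED_A1_RESULTS, list(A1_OBJECTIVES))
    report = {"A.1": rate_principle(results, list(A1_OBJECTIVES))}
    for obj in A1_OBJECTIVES:
        report[obj] = rate_objective(results, obj)
    return report


if __name__ == "__main__":
    for key, rating in a1_report().items():
        title = A1_OBJECTIVES.get(key, "Governance (principle)")
        print(f"{key:6} P={rating['P']:5} F={rating['F']:5}  {title}")
```

With the constructed data the principle rates green for PART and red for FULL, which is the pattern the report describes for governance: awareness present, formalisation absent.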

Conclusions

Trial Inspection Operator Selection

The operators that volunteered for the trial inspections were recognised as a self-selecting group. Discussion indicated that the reasons for volunteering were:

- The operator believed that it was ahead of the industry in developing cyber security risk controls and wanted feedback from HSE on its progress to date without the potential cost and enforcement associated with a normal inspection.
- The operator was making modifications (e.g. upgrades) to its IACS and therefore wanted to get early feedback on its approach rather than have to make changes later.
- The operators were already aware of cyber risks and that something would need to be done to address these risks.

Therefore, it is likely that the level of compliance across the industry is overall lower on average than seen at the trial inspections.

Compliance against the OG

Compliance has been judged in general against the issued OG, although this was augmented with some of the emerging requirements of the NCSC NIS principles and guidance as the trial inspections progressed.

In summary:

- There were no Operators that had fully achieved all of the objectives. This was as expected – the OG was released just over one year before the trials and it would take time for Operators to fully comply. It is therefore useful to consider where progress has currently been made.
- There was good progress with some Operators starting to address requirements with respect to principle A (Managing Security Risk), i.e. setting up governance arrangements, risk and asset management. Note that part A4 (Supply Chain) requirements were not in the original OG and therefore it is not surprising that this topic had not been addressed by most sites.
- There was good progress with some Operators starting to address requirements with respect to principle B (Protecting against Cyber Attack). This section covers both managerial and technical cyber security protective countermeasures. However, they had not fully met the required objectives, for example:
  a. Full roles and responsibilities and associated competence requirements not defined or met, with particular reference to the supply chain.
  b. Risk assessment not completed to define countermeasures proportionate to the MAH risk, and inadequate asset management.
  c. Technical measures (such as network access controls, device hardening, physical, logical and data access controls) not consistently implemented or managed.
  In particular, the cyber security management systems (including competence management) were not well developed or formalised in most cases and therefore, where cyber security measures were in place, they were often not well managed.
- It was also noted that management of cyber risks was in many cases placed upon the operator's control and instrument (or equivalent) team. Whilst it was agreed that this is probably correct, only a few Operators had provided additional resource to those teams.
- There was less progress on the mitigation countermeasures, i.e. detecting cyber events (principle C) and minimising their impact (principle D). Whilst there is clearly more work required on these topics by Operators, it is not unusual (or unexpected) that Operators would first focus on preventative measures before addressing mitigation measures.
- Whilst there was some evidence of improved "security by design" in newer systems, issues associated with legacy equipment are likely to persist – for example, it was noted that new systems installed were deployed with Windows 7, which goes out of support in two years. This will be an issue that will need to be managed on an ongoing basis.

Differences between industry sectors

The differences between sectors were not analysed in detail (as this would reveal the participants and in any case there was only a small data set), but the following was noted:

- There were no major differences between the sectors.
- There were overall better levels of awareness and compliance within Operators that have previously been considered as critical national infrastructure and therefore received guidance in the past.
- There were overall better levels of awareness and compliance for some of the larger multinational Operators – this was attributed to them recognising the business and reputational risk and therefore taking measures to reduce this.
- There were overall better levels of awareness and compliance for Operators that had newer equipment – i.e. evidence that some of the control system vendors were building more security features into their equipment.

Inspection approach and OG

The following general learning points were identified during the trials:

- Planned inspection time: Apart from the very large sites, the trial inspections were planned to be one day on site plus associated preparation time ahead of the inspection and review and reporting time following the inspection. This was found to be insufficient to cover the agenda items and resulted in some of the aspects (typically CSMS) being addressed by correspondence. This was fed back at an early stage to the intervention planning process and additional time was allowed for inspections planned for the 2018-19 work year – this should be reviewed following these inspections.
- Secure data transfer: It is necessary to receive significant amounts of sensitive data to prepare for the inspection. The inspection report and letter sent back to the Operator following inspection are also likely to be considered as sensitive. During the trials, temporary solutions were used, such as removal of sensitive data, encrypted data and a secure email service that was used to send out inspection reports. A method of secure data transfer needs to be established for future inspections. This is being progressed, and HSE is reviewing the security classification of such material.
- Human Factors: The topic of cyber security overlaps with a number of HF issues. Many of these (e.g. competence management, procedures etc.) are well known, already have HF guidance in place and could conceivably be addressed through existing inspection of these topics. However, some HF issues (e.g. insider threat and personnel screening and monitoring) are new topics and require development. During the trials (and consistent with the approach normally taken with other topics such as functional safety) these issues were addressed so far as they related to the EC&I discipline. However, there is a gap that needs to be addressed on these issues. This is being progressed by the HF team with support from the EC&I team.

- Duplication: The technical and managerial measures were split into different sections of the inspection agenda. Whilst this was appropriate in some cases, it led to repetition during the inspection (and report) in other cases. For example, there are both technical and managerial measures for logical access controls. It is recommended that, where appropriate:
  a. Within the OG, there is clear cross-reference between the technical measures and associated managerial measures.
  b. In the inspection agenda template, the technical measures and managerial measures are discussed at the same time.
  c. In the inspection report template, there will need to be some consideration of how best to report on these measures to prevent duplication.
  The OG, inspection agenda template and the inspection report template will need to be updated to address these issues.
- NIS Guidance: The NIS principles and guidance were released during the trial inspections. Compared to the NIS guidance, there were a few omissions within the HSE OG (e.g. supply chain). Apart from these, there was broad agreement between the NIS guidance and the HSE OG on the technical and managerial security countermeasures required. However, the structure and breakdown of the requirements was different. The HSE OG provides a lifecycle management approach to managing cyber security in line with what Operators already do in managing functional safety. To ensure consistency between different government guidance (since the NIS guidance covers many different competent authorities), the HSE OG will be updated to take account of the NIS guidance while keeping the existing overall lifecycle management approach of the OG, thus providing a single source of authoritative guidance that can be used to comply with both safety and NIS regulations.
- NIS Cyber Assessment Framework: NCSC has now released its cyber assessment framework (CAF), which can be used to assess (either by self-assessment or by the regulator) Operator compliance against the NCSC guidance. NCSC does not expect all Operators to fully comply with all aspects of the NIS guidance; rather, the level of compliance will be different for different sectors. For regulation, HSE requires a benchmark that represents legal compliance. Therefore:
  o It will be necessary for HSE to establish the legal benchmark. This is largely completed through the existing OG and will be improved in the next version.
  o In judging compliance against the benchmark, HSE will need to assess the level of performance or risk gap in order to determine appropriate and proportionate enforcement outcomes. These will need to be appropriate for both NIS and COMAH. It is expected that this should be developed to closely integrate with the existing performance scoring (10-60 scores) and the EMM.
  o NCSC would prefer that it is possible to relate performance of Operators against their CAF profiles. This will require development to be able to equate the HSE performance scores (10-60) against the HSE benchmark (OG) that is linked to a CAF profile. This requires further development.

Recommendations for Industry

Ahead of any proposed regulatory activity under COMAH or NIS, industry is recommended to address the following points:

1. At the management board level, recognise the cyber risk (both COMAH MAH and NIS essential service where appropriate) and establish formal governance arrangements and policy, identify relevant roles and responsibilities, risk management and decision making processes, and provide appropriate resources (in terms of people and capital).
2. Identify competence requirements (based upon the roles and responsibilities) and put plans in place to improve competence. This should include general awareness as well as more detailed technical competences.
3. Become aware of relevant good practice – including the HSE OG86 edition 2 (now published, Dec 2018).
4. Develop a risk assessment approach that is sufficient to identify what cyber security countermeasures will be required and put a plan in place to address the gaps that are found. The risk assessment approach should consider the risk (both COMAH MAH and to essential services where appropriate) and result in countermeasures that are proportionate to the MAH or loss of essential services risk.
5. Outline the requirements for a cyber security management system (preferably as part of the wider management systems) and put plans in place to develop and implement the systems.

Recommendations for HSE

The OG (and associated inspection agenda and reporting templates) should be updated to bring these in line with the NCSC guidance and the above findings.

HSE has already committed to completing some cyber security inspections in the current (Apr 2018 – Mar 2019) work year under COMAH. These should be done with the revised OG rev 2 and should cover both MAH risks and NIS, but without enforcement action on any NIS specific issues.

Since the completion of the trial inspections, it has been confirmed that HSE will be carrying out some of the regulatory activities for the Energy sector (oil and gas) under the NIS Regulations on behalf of the NIS competent authority (BEIS). As a result, HSE should be developing a common regulatory approach for both NIS and COMAH with respect to cyber security.

Joint Industry and HSE Recommendations

High level guidance aimed at senior management should be developed to support the operational guidance. This work could be led by the COMAH Downstream Oil Industry Forum (CDOIF) under the direction of the COMAH Strategic Forum (CSF). The high level guidance, aimed at senior managers, should address the issues and risks to business, and raise awareness of cyber security so that senior managers can act on informed advice.

Appendix A – Example agenda

COMAH Control & Instrumentation (C&I) Inspection

Site:
Date:

Proposed agenda: Cyber security – baseline inspection against HSE Operational Guidance: Cyber Security for Industrial Automation and Control Systems (IACS).

Information to be provided ahead of inspection:

- Cyber security management system documents, to include:
  o Definition of cyber security roles and responsibilities
  o Competence requirements and how these are met
  o Relevant policy and procedures
- Simple network drawings and asset registers
- Cyber security risk assessment and countermeasures required, including plans for implementation of any gap analysis, e.g. for existing (legacy) systems
- Please ensure that any other relevant information / documentation is available for the inspection and you have suitably competent personnel in attendance to assist with the above agenda.

1. Introductions and objectives of visit.

2. Site overview
- Company to provide a brief overview of site operations and processes (i.e. main operating units) and the control and safety systems in use.

3. Governance
- Overarching cyber security policy and management commitment and ownership
- Monitoring and oversight

4. Personnel
- Organisation, roles and responsibilities in relation to cyber security, including IACS Responsible Person(s).
- Screening of employees – pre-employment checks, monitoring behaviour and conflict of interest
- Competencies and competence management. To include:
  o Definition of competency requirements
  o Meeting these requirements – training, experience, third parties
- Security Culture

5. Definition of IACS:
- CSMS procedure for identifying IACS assets, zones and conduits.
- Review of simple network drawing(s)
  o Equipment, technologies and connections installed for the safe operation and monitoring of the processes with MAH risks, for example: PLCs (Process/SIS), HMIs, PC stations (Operator workstations, Servers, Engineering workstations).
  o Network infrastructure for the IACS and connections to external networks (e.g. corporate LAN)
  o Temporary connections, e.g. portable PCs for PLC programming
  o Remote access
- Review of asset register
- Management of obsolescence

6. Risk assessment
- CSMS procedure for IACS risk assessment
- Review of risk assessment findings
- Application of risk rankings to zones

7. Definition and Implementation of Countermeasures
- CSMS procedure for defining and implementing countermeasures.
- Review countermeasures required
- Existing (legacy) systems
- Review additional SIS considerations

8. Procedural controls (as part of CSMS)

A. Managing security risk
A.1 Governance – covered above
A.2 Risk management – covered above
A.3 Asset management – covered above
A.4 Supply chain
- Identification of third parties
- Security requirements and assurance of these
- Corporate networks

B. Protecting against cyber attack
B.1 Service protection policies and processes
- Security screening – covered above
- Configuration management (e.g. firewalls, VPNs, switches, WAP)
- Management of change (e.g. of firewall config, connections to IACS network)
- Auditing of policies and procedures.
B.2 Identity and access control
- Definition of authentication methods
- Definition of users, devices and services requiring access (including device-to-device)
- Splitting access across roles
- Management – encryption key and password storage, distribution and revocation
- Physical access controls and management of these (key access or electronic access systems)
B.3 Data security
- Specification of how data is protected at rest and in transit, and sharing requirements
- Identification of data required to safely operate and ensuring availability
- Data on devices
- Data not physically protected (e.g. Wi-Fi, radio)
B.4 System security
- Device hardening (vendor guidance, BIOS, disabling ports, services, application management, default passwords etc.)
- Software / patch management on all IACS assets including network devices.
B.5 Resilient networks and systems
- Validation testing of countermeasures
- Operation
  o File transfer and use (e.g. software patches, configuration data from vendors etc.)
  o Temporary / remote operational access connections.
- Maintenance
  o Updating of security software (AV, IPS etc.)
  o Temporary / remote maintenance access including third parties, laptops, connections.
B.6 Staff awareness and training – covered above

C. Detecting cyber security events
C.1 Security monitoring
- Awareness of threats (ICS-CERT, CiSP etc.)
- Aggregate, monitor, analyse and review security logs (Windows, IPS, AV, networks etc.)
- Performance indicators
- Physical inspection to reveal tampering or physical access
- Management and oversight
C.2 Proactive security event discovery
- Penetration Testing
- Enhanced Monitoring

D. Minimising the impact of cyber security incidents
D.1 Response and recovery planning
- Backup, backup storage, restoration testing and restoration
- Incident response plan, including:
  o Roles and responsibilities
  o Identification, reporting and assessment
  o Initial mitigation measures
  o Data collection and analysis
  o Escalation and recovery strategies
  o End of incident
- Exercises
- Consideration of COMAH emergency response
D.2 Lessons learned
- Incident (real or exercise) investigation and review of incident response plan

9. Site inspection
Sampling of:
- Accuracy of IACS network drawing and asset register
- Physical security controls
- Server / workstation countermeasures, e.g. hardening, software and patch management
- Software versions and patch management
- Incident response

10. Summary
- Feedback to site, any questions.

Appendix B – Detailed levels of compliance

The levels of compliance against the OG detailed requirements are summarised below, split according to the NCSC NIS Principles. Each of the NIS principles has been assessed as either red, amber or green based upon the number of operators that had partly or fully achieved each objective, as follows:

PART (P)
- Green: Most operators had started / partially completed the objective (6/8)
- Amber: Some operators had started / partially completed the objective
- Red: Most operators had not started / partially completed the objective (2/8)

FULL (F)
- Green: Most operators fully completed the objective (6/8)
- Amber: Some operators had fully completed the objective
- Red: Most operators had not fully completed the objective (2/8)

A. Managing security risk

A.1 Governance (P and F ratings per objective were coloured cells in the original and are not reproduced in this transcription)
- A.1.1 Management aware of cyber risks to IACS
- A.1.2 Management recognise and own safety risks associated with cyber risks to IACS
- A.1.3 Policy for cyber security of IACS
- A.1.4 Policy includes decision making process for addressing cyber risks
- A.1.5 Monitoring / oversight of IACS cyber countermeasures by management
- A.1.6 Role of IACS Responsible Person identified
- A.1.7 All IACS roles and responsibilities identified and recorded / briefed

In general it was noted that whilst there was general awareness, governance was not sufficiently developed or formalised as would be expected for a MAH risk topic. At least in part this was because of a failure to recognise the MAH risk due to cyber-attack – many recognised a business impact only, or no impact at all.

A.2 Risk management
- A.2.1 Risk assessment completed to appropriate standard considering MAH risk
- A.2.2 Risk assessment formally documented and review process in place
- A.2.3 Countermeasure requirements defined for zones to address MAH risk
- A.2.4 Suitable gap assessment / implementation plan defined and resourced

Most operators had attempted some kind of risk assessment and identified some countermeasures. However, in general, risk assessments, where completed, did not consider the MAH risk and were therefore not adequate. In many cases selection of countermeasures was based upon gap assessment against a defined standard (typically internal) with no differentiation based upon MAH risk.

Many operators sought advice / guidance during the inspection on what a good risk assessment would look like.

A.3 Asset management
- A.3.1
- A.3.2
- A.3.3
- A.3.4
Respon
